jails What are common uses and setups for jails?

I've never set up jails or used them but want to learn.

Can anyone tell me what common uses are and give me a practical I can try in my homelab to learn/practice setting up and managing jails?

Also, is Bastille used frequently or would I be better off using vanilla jails?
 
A jail is an excellent use for a permanently internet-facing process. A process that accepts incoming data from the internet without solicitation. A process with an always-open port facing the internet. For example, an email server which waits for unsolicited port 25 connections. An exception to this generalization would be a process such as WireGuard which can sit with an "open" port facing the internet but doesn't respond to *anything* except an inquiry with the precise encryption key required to access that port; the port looks closed to any other probe. WireGuard need not be jailed.

I prefer to use the standard toolset to create and manage jails and NOT use a jail manager such as Bastille. When you master the standard toolset (it is not difficult) you will understand better what a wrapper program, such as Bastille, is doing. The standard toolset also will survive if the wrapper program subsequently isn't maintained going forward (such as happened with EZJAIL and IOCAGE).

NB: I am a hobbyist with no computer science background.
 
A thread that will likely never end.

Jails, as the name suggests, are a means of isolation from the host OS.
I think there is nothing more to say... You know, it's all about security.
And maybe also, some functional units like Linux containers.

See the handbook, Luke.

Bastille is well-known and reputable software.
I don't use it. But it's a personal choice that doesn't apply there.
Because if you want to test jail technology, I read everywhere that it's a good choice.
 
I think they are mostly oriented to network services. I use a jail with BIND as the only DNS server in a network of 300 users, more or less.
It works like a charm; also web servers.

Some people use it to run Firefox in an isolated environment, for example.
Jails are one of the gems of FreeBSD.
 
I think there is nothing more to say... You know, it's all about security.
And maybe also, some functional units like Linux containers.
Well, a jail also has disk speed advantages versus a Bhyve VM. Virtualization has disk penalties that a jail does not.
I also feel they are easier to spin up for temporary use.

 